+ ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-15 12:44:47.000000000 +0100
+@@ -53,6 +53,39 @@
+ ##
+ gen_tunable(ftp_home_dir, false)
+
++##
++##
++## Allow anon internal-sftp to upload files, used for
++## public file transfer services. Directories must be labeled
++## public_content_rw_t.
++##
++##
++gen_tunable(sftpd_anon_write, false)
++
++##
++##
++## Allow sftp-internal to login to local users and
++## read/write all files on the system, governed by DAC.
++##
++##
++gen_tunable(sftpd_full_access, false)
++
++##
++##
++## Allow interlnal-sftp to read and write files
++## in the user ssh home directories.
++##
++##
++gen_tunable(sftpd_write_ssh_home, false)
++
++##
++##
++## Allow sftp-internal to read and write files
++## in the user home directories
++##
++##
++gen_tunable(sftp_enable_homedirs, false)
++
+ type ftpd_t;
+ type ftpd_exec_t;
+ init_daemon_domain(ftpd_t, ftpd_exec_t)
+@@ -93,6 +126,14 @@
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+ ')
+
++type sftpd_t;
++domain_type(sftpd_t)
++role system_r types sftpd_t;
++
++type sftpd_anon_t;
++domain_type(sftpd_anon_t)
++role system_r types sftpd_anon_t;
++
+ ########################################
+ #
+ # ftpd local policy
+@@ -342,3 +383,76 @@
+ files_read_etc_files(ftpdctl_t)
+
+ userdom_use_user_terminals(ftpdctl_t)
++
++#######################################
++#
++# sftpd-anon local policy
++#
++
++files_read_etc_files(sftpd_anon_t)
++
++miscfiles_read_public_files(sftpd_anon_t)
++
++tunable_policy(`sftpd_anon_write',`
++ miscfiles_manage_public_files(sftpd_anon_t)
++')
++
++#######################################
++#
++# sftpd local policy
++#
++
++files_read_etc_files(sftpd_t)
++
++# allow read access to /home by default
++userdom_read_user_home_content_files(sftpd_t)
++userdom_read_user_home_content_symlinks(sftpd_t)
++userdom_dontaudit_list_admin_dir(sftpd_t)
++
++tunable_policy(`sftpd_full_access',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++ fs_read_noxattr_fs_files(sftpd_t)
++ auth_manage_all_files_except_shadow(sftpd_t)
++')
++
++tunable_policy(`sftpd_write_ssh_home',`
++ ssh_manage_user_home_files(sftpd_t)
++')
++
++tunable_policy(`sftp_enable_homedirs',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++
++ # allow access to /home
++ files_list_home(sftpd_t)
++ userdom_read_user_home_content_files(sftpd_t)
++ userdom_manage_user_home_content(sftpd_t)
++
++ auth_read_all_dirs_except_shadow(sftpd_t)
++ auth_read_all_files_except_shadow(sftpd_t)
++ auth_read_all_symlinks_except_shadow(sftpd_t)
++', `
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
++')
++
++tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(sftpd_t)
++ fs_manage_nfs_files(sftpd_t)
++ fs_manage_nfs_symlinks(sftpd_t)
++')
++
++tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',`
++ fs_manage_cifs_dirs(sftpd_t)
++ fs_manage_cifs_files(sftpd_t)
++ fs_manage_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(sftpd_t)
++ fs_read_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(sftpd_t)
++ fs_read_nfs_symlinks(ftpd_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
+--- nsaserefpolicy/policy/modules/services/git.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-14 20:34:07.000000000 +0100
+@@ -73,7 +73,7 @@
+ #
+
+ allow gitd_type self:fifo_file rw_fifo_file_perms;
+-allow gitd_type self:tcp_socket create_socket_perms;
++allow gitd_type self:tcp_socket create_stream_socket_perms;
+ allow gitd_type self:udp_socket create_socket_perms;
+ allow gitd_type self:unix_dgram_socket create_socket_perms;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:37:36.000000000 +0100
@@ -621,18 +827,112 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-12 18:08:14.000000000 +0100
-@@ -477,8 +477,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-15 12:33:14.000000000 +0100
+@@ -8,31 +8,6 @@
+
+ ##
+ ##
+-## Allow sftp to upload files, used for public file
+-## transfer services. Directories must be labeled
+-## public_content_rw_t.
+-##
+-##
+-gen_tunable(allow_sftpd_anon_write, false)
+-
+-##
+-##
+-## Allow sftp to login to local users and
+-## read/write all files on the system, governed by DAC.
+-##
+-##
+-gen_tunable(allow_sftpd_full_access, false)
+-
+-##
+-##
+-## Allow interlnal-sftp to read and write files
+-## in the user ssh home directories.
+-##
+-##
+-gen_tunable(sftpd_ssh_home_dir, false)
+-
+-##
+-##
+ ## allow host key based authentication
+ ##
+ ##
+@@ -69,10 +44,6 @@
+ type sshd_tmpfs_t;
+ files_tmpfs_file(sshd_tmpfs_t)
+
+-type sftpd_t;
+-domain_type(sftpd_t)
+-role system_r types sftpd_t;
+-
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -361,6 +332,11 @@
+ ')
+
+ optional_policy(`
++ ftp_dyntransition_sftpd(sshd_t)
++ ftp_dyntransition_sftpd_anon(sshd_t)
++')
++
++optional_policy(`
+ gitosis_manage_var_lib(sshd_t)
+ ')
- ssh_sigchld(sftpd_t)
+@@ -468,49 +444,3 @@
+ udev_read_db(ssh_keygen_t)
+ ')
+-#######################################
+-#
+-# sftp Local policy
+-#
+-
+-allow ssh_server sftpd_t:process dyntransition;
+-
+-ssh_sigchld(sftpd_t)
+-
-files_read_all_files(sftpd_t)
-files_read_all_symlinks(sftpd_t)
-+auth_read_all_files_except_shadow(sftpd_t)
-+auth_read_all_symlinks_except_shadow(sftpd_t)
-
- fs_read_noxattr_fs_files(sftpd_t)
- fs_read_nfs_files(sftpd_t)
+-
+-fs_read_noxattr_fs_files(sftpd_t)
+-fs_read_nfs_files(sftpd_t)
+-fs_read_cifs_files(sftpd_t)
+-
+-# allow access to /home by default
+-userdom_manage_user_home_content_dirs(sftpd_t)
+-userdom_manage_user_home_content_files(sftpd_t)
+-userdom_manage_user_home_content_symlinks(sftpd_t)
+-
+-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+-
+-tunable_policy(`allow_sftpd_anon_write',`
+- miscfiles_manage_public_files(sftpd_t)
+-')
+-
+-tunable_policy(`allow_sftpd_full_access',`
+- allow sftpd_t self:capability { dac_override dac_read_search };
+- fs_read_noxattr_fs_files(sftpd_t)
+- auth_manage_all_files_except_shadow(sftpd_t)
+-')
+-
+-tunable_policy(`sftpd_ssh_home_dir',`
+- ssh_manage_user_home_files(sftpd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(sftpd_t)
+- fs_manage_nfs_files(sftpd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(sftpd_t)
+- fs_manage_cifs_files(sftpd_t)
+-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100
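Review bot: The new `ftp_dyntransition_sftpd(sshd_t)` / `ftp_dyntransition_sftpd_anon(sshd_t)` calls in ssh.te are narrower than the removed `allow ssh_server sftpd_t:process dyntransition;`, which was keyed on the ssh_server attribute; if any other domain carries that attribute it silently loses the transition, so either confirm sshd_t is its only member or pass the attribute through the new interfaces. The removed `ssh_sigchld(sftpd_t)` has no visible counterpart in the sftpd/sftpd_anon local policy that this patch adds to ftp.te earlier in the diff, so the exit signal from the transitioned child back to sshd_t is presumably no longer allowed; the ftp.if interfaces are not in this chunk, so confirm there and add `ssh_sigchld(sftpd_t)` plus `ssh_sigchld(sftpd_anon_t)` if they are missing. Related, in that ftp.te block the `use_nfs_home_dirs` branch reads `fs_read_nfs_symlinks(ftpd_t)` while every sibling line targets `sftpd_t`, so sftpd_t is denied NFS symlink reads and ftpd_t gets a rule it may not need; `fs_read_nfs_symlinks(sftpd_t)` looks intended.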
@@ -723,10 +1023,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-14 20:30:58.000000000 +0100
+@@ -125,6 +125,10 @@
+ ')
+
+ optional_policy(`
++ brctl_domtrans(hotplug_t)
++')
++
++optional_policy(`
+ consoletype_exec(hotplug_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-12 13:43:28.000000000 +0100
-@@ -872,6 +872,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-15 12:26:30.000000000 +0100
+@@ -212,6 +212,10 @@
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+@@ -872,6 +876,7 @@
optional_policy(`
unconfined_domain(initrc_t)
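Review bot: Neither new optional_policy block explains its trigger: `brctl_domtrans(hotplug_t)` in hotplug.te and `dbus_system_bus_client(init_t)` in init.te sit next to a dovecot block that documents why it exists, so each should carry a one-line reason, e.g. `# hotplug helper scripts invoke brctl; run it in the brctl domain` and `# init_t needs the system bus (TODO: name the caller that was denied)`. The init.te addition is also absent from the spec changelog in this commit, which lists only the hotplug/brctl and sftpd work; record it there or in the comment so the grant can be traced later. The re-offset of the later init.te hunk header to `@@ -872,6 +876,7 @@` is consistent with the four lines added above it.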
@@ -830,6 +1155,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-15 12:28:55.000000000 +0100
+@@ -190,6 +190,7 @@
+
+ init_use_script_fds(load_policy_t)
+ init_use_script_ptys(load_policy_t)
++init_write_script_pipes(load_policy_t)
+
+ miscfiles_read_localization(load_policy_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100
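Review bot: `init_write_script_pipes(load_policy_t)` in selinuxutil.te is added without a comment and without a changelog entry, so the denial it silences is not recorded anywhere. It presumably covers load_policy being run from an init script with its output on the script's pipe; if so, state it on the line, e.g. `# load_policy output lands on the initrc pipe when invoked from init scripts`, and hedge or drop the comment if the actual trigger differs.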
@@ -909,6 +1245,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Xen store local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-15 12:24:53.000000000 +0100
+@@ -28,7 +28,7 @@
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+ #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-12 13:48:30.000000000 +0100
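Review bot: Adding `tun_socket` to `socket_class_set` in obj_perm_sets.spt is a blanket grant: every existing rule written as `allow X Y:socket_class_set ...` across the policy, including any `self:socket_class_set` rules in broad domains, now also covers the tun_socket class, so audit those callers rather than treating the change as local. It also requires the class to be declared in the flask security_classes/access_vectors in use, which this diff does not show; the policy compiler rejects references to an undeclared class, so confirm the definitions in use include it. A comment on the define naming the reason, e.g. `# tun_socket is a separate class in newer kernels; keep it in the set so broad socket grants stay complete`, and a changelog entry would help, since the spec changelog in this commit does not mention it.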
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f5c7630..648a512 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,10 @@ exit 0
%endif
%changelog
+* Fri Jan 15 2010 Miroslav Grepl 3.6.32-71
+- Allow hotplug to transition to brctl domain
+- Fixes for sftpd
+
* Tue Jan 12 2010 Miroslav Grepl 3.6.32-70
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t